IT Freedom Blog

Cyber Insurance: Is it worth it?

It’s no secret that data breaches cost businesses a lot of money, an average of $3.86 million to be more exact. So what if there was a way to recoup or cover some of the post-breach expenses? That’s where cyber insurance comes in. Cyber insurance, cyber liability coverage, and data compromise coverage are all different names for policies designed to accomplish the same goal: to mitigate the risks and costs involved in recovering from a data breach or similar cyber attack that exposes:

Sensitive customer information

Social security numbers

Driver’s license numbers

Account numbers

Credit card numbers

Health records

According to PWC Global around one-third of US companies have purchased cyber insurance.

Who Provides Cyber Insurance?

Most insurance companies today offer some form of cyber insurance, whether as a standalone policy or as an add-on to existing business insurance policies. While many insurers offer policies, a few are rated higher than others and are more often recommended. These companies include, but are not limited to:

What Does Cyber Insurance Cover?

Cyber insurance policies generally provide coverage for first-party damages (damages suffered by you and your business) and third-party damages (damages to your customers and partners). Included in these two categories are expenses related to:

Legal fees

Notification of customers and partners

Data recovery

System repairs

Any efforts made to restore customers’ personal identities

Forensic investigations

Extortion reimbursements, in the case that a ransom was paid to retrieve data

Looking at this list, it’s no surprise that data breach costs can run into the millions, and having someone help cover those costs would be a great help to almost any business.

What Doesn't Cyber Insurance Cover?

As with most insurance policies, there are some things cyber insurance doesn’t cover. This includes intellectual property loss and costs that are hard to calculate, such as reputational damage, lost revenue, or lost productivity. It’s also possible that it won’t cover anything over the sublimit caps written into your policy. Sublimits are the maximum amounts the insurer will pay out for items such as breach notification or legal fees; anything above those caps is your business’s responsibility.

There are two other big exceptions to cyber insurance policies we want to talk about.

Negligence

Many cyber insurance policies include exclusions for breaches resulting from poor security practices or negligent employees. Your policy could even be invalidated if your company is no longer in compliance with your insurance company’s minimum standards or with regulatory compliance standards such as HIPAA and PCI. So while you’re evaluating insurance policies, it’s also a good idea to be working with a cyber security professional to ensure your security is where it should be.

The "War Exclusion" Clause

The war exclusion clause relieves insurance companies of their obligation to pay out on policies for:

“Hostile or warlike action in time of peace, or war, including action in hindering, combating, or defending against an actual, impending, or expected attack by any: (i) government or sovereign power (de jure or de facto); (ii) military, naval, or air force; or (iii) agent or authority of any party specified in (i) or (ii) above.”

Essentially, if your company is hit with a cyber attack that is deemed an act of war, the insurance company may not be obligated to cover anything.

This has been an extremely controversial topic in the courts lately, after Mondelez (a manufacturer of processed foods such as Ritz and Chips Ahoy) submitted a claim to their insurance company after falling victim to the NotPetya attack in 2017 and was denied on the basis of the “war exclusion” clause. The insurer was able to use this reasoning because NotPetya was tied to Russia and its conflict with Ukraine. So even though Mondelez was not the intended target (the target was a Ukrainian software company and its customers), they are on the hook for all damages, even with a cyber insurance policy.

Lately, governments have been increasingly willing to attribute attacks like NotPetya to other nations and to classify them as acts of war, which according to Ariel Levite means “running a huge risk that cyber insurance in the future will be worthless.” We don’t believe it has reached the point where cyber insurance can be deemed worthless, but it is something to consider going forward.

So, is Cyber Insurance Worth it?

The answer to this question really depends on your business and the risks it faces. There are plenty of instances where cyber insurance has come through to help mitigate the costs of a data breach and saved companies from possible bankruptcy, but there are also instances where it hasn’t. This is why it’s important to read through your policy, know your current risks, and understand what your policy will and will not cover. It’s also why it’s important to ensure adequate security practices within your business. Cyber insurance should always be Plan B, with Plan A being a well-secured and compliant company.

Cyber insurance could do wonders for your peace of mind, but given the current litigation surrounding it and its possible future implications, having proper security processes and procedures in place is key as the primary line of defense.